CMMC Practice Requirement:

Authorize remote execution of privileged commands and remote access to security-relevant information.

CMMC Requirement Explanation:

Restricting which admins can perform administrative tasks remotely (e.g., via a VPN connection) reduces the probability that an attacker can use a compromised account to access your systems and security-relevant information.

Example CMMC Implementation:

You can choose to completely restrict privileged accounts from accessing your network and systems via a remote VPN connection. If that is not feasible, consider the options below:

- Document which of your system administrators are allowed to administer your systems via a remote VPN connection.
- Only place authorized admin accounts in security groups that allow remote VPN access.
- Document the type of admin activity your admins can conduct remotely. An example is allowing them to provide desktop support services to end users but not allowing them to log into your Active Directory server via a VPN connection. Implement this using security groups.
- Restrict the ability to remotely access security-relevant information, such as your syslog server.
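One way to check the security groups against the documented authorizations is shown below. This is an added example, not part of the original page. It assumes group membership has been exported into a mapping, and every group and account name in it is constructed sample data.

```python
# Constructed sample data: group -> direct members (accounts or nested groups).
GROUPS = {
    "VPN-Users": ["alice", "bob", "VPN-Admins"],
    "VPN-Admins": ["adm-carol", "HelpDesk-Remote"],
    "HelpDesk-Remote": ["adm-dave", "adm-erin"],
    "Domain Admins": ["adm-carol", "adm-frank"],
    "Syslog-Readers": ["adm-dave", "adm-frank"],
}
PRIVILEGED = {"adm-carol", "adm-dave", "adm-erin", "adm-frank"}
# Admins documented as allowed to work over VPN (hypothetical list).
AUTHORIZED = {"adm-dave", "adm-erin"}
VPN_GROUP = "VPN-Users"
# Groups whose access must not be usable over VPN (hypothetical policy).
ONSITE_ONLY = {"Domain Admins", "Syslog-Readers"}


def effective_members(group, groups, _seen=None):
    """Expand nested groups to accounts; a cyclic nesting is visited once."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    accounts = set()
    for member in groups.get(group, []):
        if member in groups:
            accounts |= effective_members(member, groups, seen)
        else:
            accounts.add(member)
    return accounts


def audit(groups, privileged, authorized, vpn_group, onsite_only):
    """Return (account, finding, group) tuples for remote-admin violations."""
    findings = []
    vpn_accounts = effective_members(vpn_group, groups)
    for acct in sorted(vpn_accounts & privileged):
        if acct not in authorized:
            # Privileged account can use VPN without documented approval.
            findings.append((acct, "unauthorized-remote-admin", vpn_group))
            continue
        for grp in sorted(onsite_only):
            # Approved remote admin also holds access that is onsite-only.
            if acct in effective_members(grp, groups):
                findings.append((acct, "remote-reach-to-onsite-only", grp))
    return findings


if __name__ == "__main__":
    for finding in audit(GROUPS, PRIVILEGED, AUTHORIZED, VPN_GROUP, ONSITE_ONLY):
        print(finding)
```

Nested membership is expanded because an admin account placed in a group that is itself a member of the VPN group gains remote access without appearing in the VPN group's direct member list.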

Scenario(s):

- Scenario 1:

To meet this security requirement, your company prevents admins from connecting to your corporate network via VPN using their admin accounts. If they need to carry out privileged functions, they must be onsite. The only exception to the rule is allowing members of the help desk to connect to workstations using a desktop support tool.
 
